Jetty RCE

Swissky 2022-08-09 22:06:55 +02:00
commit 11271d9072
15 changed files with 270 additions and 196 deletions

View File

@ -20,9 +20,9 @@
- [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/) - [OWASP Testing Guide: Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
- [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting) - [Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman (2014)](https://nostarch.com/pentesting)
- [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure) - [Pentesting Azure Applications: The Definitive Guide to Testing and Securing Deployments by Matt Burrough (2018)](https://nostarch.com/azure)
- [Pratical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis) - [Practical Binary Analysis: Build Your Own Linux Tools for Binary instrumentation, Analysis, and Disassembly by Dennis Andriesse (2019)](https://nostarch.com/binaryanalysis)
- [Pratical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging) - [Practical Forensic Imaging: Securing Digital Evidence with Linux Tools by Bruce Nikkel (2016)](https://nostarch.com/forensicimaging)
- [Pratical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking) - [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods (2021)](https://nostarch.com/practical-iot-hacking)
- [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday) - [Practical Doomsday: A User's Guide to the End of the World by Michal Zalewski (2022)](https://nostarch.com/practical-doomsday)
- [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering) - [Practical Social Engineering: A Primer for the Ethical Hacker by Joe Gray (2022)](https://nostarch.com/practical-social-engineering)
- [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting) - [Real-World Bug Hunting: A Field Guide to Web Hacking by Peter Yaworski (2019)](https://nostarch.com/bughunting)
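Review bot: this hunk is a spelling pass over the reading list (three `Pratical` → `Practical` fixes) that has nothing to do with the commit title `Jetty RCE`; with 15 files touched, the Jetty change is buried under typo and table-of-contents sweeps, so the cosmetic sweep belongs in its own commit where it can be skimmed and the Jetty change reviewed on its own. While in this list, the same Andriesse entry still reads `Binary instrumentation, Analysis, and Disassembly`; every other word of that subtitle is title-cased, so `Binary Instrumentation` would match.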

View File

@ -6,30 +6,41 @@
## Summary ## Summary
* [Tools](#tools) - [File Inclusion](#file-inclusion)
* [Basic LFI](#basic-lfi) - [Summary](#summary)
* [Null byte](#null-byte) - [Tools](#tools)
* [Double encoding](#double-encoding) - [Basic LFI](#basic-lfi)
* [UTF-8 encoding](#utf-8-encoding) - [Null byte](#null-byte)
* [Path and dot truncation](#path-and-dot-truncation) - [Double encoding](#double-encoding)
* [Filter bypass tricks](#filter-bypass-tricks) - [UTF-8 encoding](#utf-8-encoding)
* [Basic RFI](#basic-rfi) - [Path and dot truncation](#path-and-dot-truncation)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) - [Filter bypass tricks](#filter-bypass-tricks)
* [Wrapper php://filter](#wrapper-phpfilter) - [Basic RFI](#basic-rfi)
* [Wrapper zip://](#wrapper-zip) - [Null byte](#null-byte-1)
* [Wrapper data://](#wrapper-data) - [Double encoding](#double-encoding-1)
* [Wrapper expect://](#wrapper-expect) - [Bypass allow_url_include](#bypass-allow_url_include)
* [Wrapper input://](#wrapper-input) - [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper phar://](#wrapper-phar) - [Wrapper php://filter](#wrapper-phpfilter)
* [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd) - [Wrapper zip://](#wrapper-zip)
* [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron) - [Wrapper data://](#wrapper-data)
* [LFI to RCE via upload](#lfi-to-rce-via-upload) - [Wrapper expect://](#wrapper-expect)
* [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race) - [Wrapper input://](#wrapper-input)
* [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile) - [Wrapper phar://](#wrapper-phar)
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) - [LFI to RCE via upload](#lfi-to-rce-via-upload)
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files) - [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
- [RCE via SSH](#rce-via-ssh)
- [RCE via Mail](#rce-via-mail)
- [RCE via Apache logs](#rce-via-apache-logs)
- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
- [Windows version](#windows-version)
- [Linux version](#linux-version)
- [References](#references)
## Tools ## Tools
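Review bot: the regenerated summary now opens with `- [File Inclusion](#file-inclusion)` and `- [Summary](#summary)`, so the table of contents links to the page title and to itself; those two entries are generator noise and should be dropped so the list starts at `Tools`, as the old version did (the same applies to every other regenerated Summary in this commit). The anchor correction `#lfi-o-rce-via-credentials-files` → `#lfi-to-rce-via-credentials-files` is right, and the `#null-byte-1` / `#double-encoding-1` suffixes for the second `Null byte` and `Double encoding` headings under Basic RFI match how GitHub-style renderers de-duplicate repeated heading anchors, so those links will resolve.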
@ -444,4 +455,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a) * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1) * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/) * [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
* [PHP LFI to arbitratry code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376) * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)

View File

@ -5,19 +5,22 @@
## Summary ## Summary
* [Tools](#tools) - [GraphQL injection](#graphql-injection)
* [Exploit](#exploit) - [Summary](#summary)
* [Identify an injection point](#identify-an-injection-point) - [Tools](#tools)
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection) - [Exploit](#exploit)
* [Extract data](#extract-data) - [Identify an injection point](#identify-an-injection-point)
* [Extract data using edges/nodes](#extract-data-using-edges-nodes) - [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
* [Extract data using projections](#extract-data-using-projections) - [List path](#list-path)
* [Enumerate the types' definition](#enumerate-the-type-definition) - [Extract data](#extract-data)
* [Use mutations](#use-mutations) - [Extract data using edges/nodes](#extract-data-using-edgesnodes)
* [NOSQL injection](#nosql-injection) - [Extract data using projections](#extract-data-using-projections)
* [SQL injection](#sql-injection) - [Enumerate the types' definition](#enumerate-the-types-definition)
* [GraphQL Batching Attacks](#graphql-batching-attacks) - [Use mutations](#use-mutations)
* [References](#references) - [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection)
- [GraphQL Batching Attacks](#graphql-batching-attacks)
- [References](#references)
## Tools ## Tools

View File

@ -3,7 +3,7 @@
## Summary ## Summary
HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value&param1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurance, some taking the last occurance, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms. HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate web logics or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value&param1=value). As there is no formal way of parsing HTTP parameters, individual web technologies have their own unique way of parsing and reading URL parameters with the same name. Some taking the first occurrence, some taking the last occurrence, and some reading it as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
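Review bot: only `occurance` → `occurrence` was fixed, but the paragraph still has grammar problems worth catching in the same pass: `craft a HTTP request` should be `an HTTP request`, `manipulate web logics` should be `manipulate application logic`, and `Some taking the first occurrence, some taking the last occurrence, and some reading it as an array.` is a sentence fragment that should be joined to the preceding sentence with a colon (`...parameters with the same name: some take the first occurrence, some the last, and some read them as an array.`).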
## Tools ## Tools
@ -22,7 +22,7 @@ Origin Service - Reads second param. In this scenario, developer trusted WAF and
Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.) Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
``` ```
### Table of refence for which technology reads which parameter ### Table of reference for which technology reads which parameter
When ?par1=a&par1=b When ?par1=a&par1=b
| Technology | Parsing Result |outcome (par1=)| | Technology | Parsing Result |outcome (par1=)|
| ------------------ |--------------- |:-------------:| | ------------------ |--------------- |:-------------:|
@ -41,7 +41,7 @@ When ?par1=a&par1=b
| IBM HTTP Server |First occurrence |a | | IBM HTTP Server |First occurrence |a |
| Perl CGI/Apache |First occurrence |a | | Perl CGI/Apache |First occurrence |a |
| mod_wsgi (Python)/Apache |First occurrence |a | | mod_wsgi (Python)/Apache |First occurrence |a |
| Python/Zope |All occurences in array |['a','b'] | | Python/Zope |All occurrences in array |['a','b'] |
## References ## References
- [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/) - [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)

View File

@ -4,17 +4,20 @@
## Summary ## Summary
- [Tools](#tools) - [JWT - JSON Web Token](#jwt---json-web-token)
- [JWT Format](#jwt-format) - [Summary](#summary)
- [Tools](#tools)
- [JWT Format](#jwt-format)
- [Header](#header) - [Header](#header)
- [Payload](#payload) - [Payload](#payload)
- [JWT Signature - None algorithm](#jwt-signature---none-algorithm) - [JWT Signature - None algorithm](#jwt-signature---none-algorithm)
- [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256) - [JWT Signature - RS256 to HS256](#jwt-signature---rs256-to-hs256)
- [Breaking JWT's secret](#breaking-jwts-secret) - [Breaking JWT's secret](#breaking-jwts-secret)
- [JWT Tool](#jwt-tool) - [JWT tool](#jwt-tool)
- [JWT cracker](#jwt-cracker) - [JWT cracker](#jwt-cracker)
- [Hashcat](#hashcat) - [Hashcat](#hashcat)
- [References](#references) - [CVE](#cve)
- [References](#references)
## Tools ## Tools
@ -241,7 +244,7 @@ Please select an option from above (1-4):
Please enter the known key: Please enter the known key:
> secret > secret
Please enter the keylength: Please enter the key length:
[1] HMAC-SHA256 [1] HMAC-SHA256
[2] HMAC-SHA384 [2] HMAC-SHA384
[3] HMAC-SHA512 [3] HMAC-SHA512
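Review bot: `Please enter the keylength:` sits inside a fenced block that reproduces jwt_tool's interactive prompt (`Please enter the known key:` / `> secret` / the `[1] HMAC-SHA256` menu), so if that text is the tool's own output, respelling it as `key length` makes the transcript differ from what a user actually sees on screen; keep captured tool output verbatim and fix spelling only in the surrounding prose, or raise the typo upstream with the tool.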

View File

@ -1,15 +1,17 @@
# Open URL Redirection # Open URL Redirection
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access. > Un-validated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Un-validated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Summary ## Summary
- [Exploitation](#exploitation) - [Open URL Redirection](#open-url-redirection)
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx) - [Summary](#summary)
- [Fuzzing](#fuzzing) - [Exploitation](#exploitation)
- [Filter Bypass](#filter-bypass) - [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
- [Common injection parameters](#common-injection-parameters) - [Fuzzing](#fuzzing)
- [References](#references) - [Filter Bypass](#filter-bypass)
- [Common injection parameters](#common-injection-parameters)
- [References](#references)
## Exploitation ## Exploitation
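Review bot: `Unvalidated` → `Un-validated` (twice in the blockquote) is a regression rather than a fix: the paragraph is quoted text, `unvalidated redirects and forwards` is the conventional unhyphenated spelling of the term, and hyphenating it both alters the quote and breaks searching for the phrase, so revert those two changes. The quote does have one real defect that was left alone: `pass the applications access control check` needs an apostrophe (`application's`).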
@ -25,7 +27,7 @@ What happens if we change the `famous-website.tld/account` to `evil-website.tld`
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
``` ```
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials. By visiting this url, if we get redirected to `evil-website.tld` after the sign-up, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
## HTTP Redirection Status Code - 3xx ## HTTP Redirection Status Code - 3xx
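Review bot: `signup` → `sign-up` is fine, but the same sentence still reads `By visiting this url` with lowercase `url`, while the rest of the page (including the `redirectUrl` example just above) writes `URL`; fix it in the same line rather than leaving a second pass for it.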

View File

@ -4,9 +4,12 @@
## Summary ## Summary
* [Tools](#tools) - [Race Condition](#race-condition)
* [Turbo Intruder Examples](#turbo-intruder-examples) - [Summary](#summary)
* [References](#references) - [Tools](#tools)
- [Turbo Intruder Examples](#turbo-intruder-examples)
- [Turbo Intruder 2 Requests Examples](#turbo-intruder-2-requests-examples)
- [References](#references)
## Tools ## Tools
@ -42,7 +45,7 @@
4. Click "Attack" 4. Click "Attack"
## Turbo Intruder 2 Requests Examples ## Turbo Intruder 2 Requests Examples
This follwoing template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds. This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.
```python ```python
def queueRequests(target, wordlists): def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint, engine = RequestEngine(endpoint=target.endpoint,
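Review bot: only `follwoing` was corrected, but the sentence is still ungrammatical: `This following template can use when use have to send race condition of request2 immediately after send a request1 when the window may only be a few milliseconds.` Suggest `The following template can be used when request2 must be sent immediately after request1, where the race window may be only a few milliseconds.`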

View File

@ -6,7 +6,7 @@ Attempting to manipulate SQL queries may have goals including:
- Information Leakage - Information Leakage
- Disclosure of stored data - Disclosure of stored data
- Manipulation of stored data - Manipulation of stored data
- Bypassing authorisation controls - Bypassing authorization controls
## Summary ## Summary

View File

@ -4,59 +4,74 @@
## Summary ## Summary
* [Tools](#tools) - [Templates Injections](#templates-injections)
* [Methodology](#methodology) - [Summary](#summary)
* [ASP.NET Razor](#aspnet-razor) - [Tools](#tools)
* [Basic injection](#aspnet-razor---basic-injection) - [Methodology](#methodology)
* [Command execution](#aspnet-razor---command-execution) - [ASP.NET Razor](#aspnet-razor)
* [Expression Language EL](#expression-language-el) - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
* [Basic injection](#expression-language-el---basic-injection) - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
* [Code execution](#expression-language-el---code-execution) - [Expression Language EL](#expression-language-el)
* [Freemarker](#freemarker) - [Expression Language EL - Basic injection](#expression-language-el---basic-injection)
* [Basic injection](#freemarker---basic-injection) - [Expression Language EL - One-Liner injections not including code execution](#expression-language-el---one-liner-injections-not-including-code-execution)
* [Code execution](#freemarker---code-execution) - [Expression Language EL - Code Execution](#expression-language-el---code-execution)
* [Groovy](#groovy) - [Freemarker](#freemarker)
* [Basic injection](#groovy---basic-injection) - [Freemarker - Basic injection](#freemarker---basic-injection)
* [Read/Create file](#groovy---read-and-create-file) - [Freemarker - Read File](#freemarker---read-file)
* [HTTP Request](#groovy---http-request) - [Freemarker - Code execution](#freemarker---code-execution)
* [Command execution](#groovy---command-execution) - [Freemarker - Sandbox bypass](#freemarker---sandbox-bypass)
* [Sandbox bypass](#groovy---sandbox-bypass) - [Groovy](#groovy)
* [Handlebars](#handlebars) - [Groovy - Basic injection](#groovy---basic-injection)
* [Jade / Codepen](#jade--codepen) - [Groovy - Read and create File](#groovy---read-and-create-file)
* [Java](#java) - [Groovy - HTTP request:](#groovy---http-request)
* [Basic injection](#java---basic-injection) - [Groovy - Command Execution](#groovy---command-execution)
* [Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables) - [Groovy - Sandbox Bypass](#groovy---sandbox-bypass)
* [Retrieve /etc/passwd](#java---retrieve-etcpasswd) - [Handlebars](#handlebars)
* [Jinja2](#jinja2) - [Handlebars - Command Execution](#handlebars---command-execution)
* [Basic injection](#jinja2---basic-injection) - [Jade / Codepen](#jade--codepen)
* [Template format](#jinja2---template-format) - [Java](#java)
* [Debug Statement](#jinja2---debug-statement) - [Java - Basic injection](#java---basic-injection)
* [Dump all used classes](#jinja2---dump-all-used-classes) - [Java - Retrieve the systems environment variables](#java---retrieve-the-systems-environment-variables)
* [Dump all config variables](#jinja2---dump-all-config-variables) - [Java - Retrieve /etc/passwd](#java---retrieve-etcpasswd)
* [Read remote file](#jinja2---read-remote-file) - [Jinja2](#jinja2)
* [Write into remote file](#jinja2---write-into-remote-file) - [Jinja2 - Basic injection](#jinja2---basic-injection)
* [Remote Code Execution](#jinja2---remote-code-execution) - [Jinja2 - Template format](#jinja2---template-format)
* [Filter bypass](#jinja2---filter-bypass) - [Jinja2 - Debug Statement](#jinja2---debug-statement)
* [Jinjava](#jinjava) - [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
* [Basic injection](#jinjava---basic-injection) - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
* [Command execution](#jinjava---command-execution) - [Jinja2 - Read remote file](#jinja2---read-remote-file)
* [Lessjs](#lessjs) - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
* [Mako](#mako) - [Jinja2 - Remote Code Execution](#jinja2---remote-code-execution)
* [Pebble](#pebble) - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
* [Basic injection](#pebble---basic-injection) - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
* [Code execution](#pebble---code-execution) - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
* [Ruby](#ruby) - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
* [Basic injections](#ruby---basic-injections) - [Jinja2 - Filter bypass](#jinja2---filter-bypass)
* [Retrieve /etc/passwd](#ruby---retrieve-etcpasswd) - [Jinjava](#jinjava)
* [List files and directories](#ruby---list-files-and-directories) - [Jinjava - Basic injection](#jinjava---basic-injection)
* [Smarty](#smarty) - [Jinjava - Command execution](#jinjava---command-execution)
* [Twig](#twig) - [Lessjs](#lessjs)
* [Basic injection](#twig---basic-injection) - [Lessjs - SSRF / LFI](#lessjs---ssrf--lfi)
* [Template format](#twig---template-format) - [Lessjs < v3 - Command Execution](#lessjs--v3---command-execution)
* [Arbitrary File Reading](#twig---arbitrary-file-reading) - [Plugins](#plugins)
* [Code execution](#twig---code-execution) - [Mako](#mako)
* [Velocity](#velocity) - [Direct access to os from TemplateNamespace:](#direct-access-to-os-from-templatenamespace)
* [References](#references) - [Pebble](#pebble)
- [Pebble - Basic injection](#pebble---basic-injection)
- [Pebble - Code execution](#pebble---code-execution)
- [Ruby](#ruby)
- [Ruby - Basic injections](#ruby---basic-injections)
- [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
- [Ruby - List files and directories](#ruby---list-files-and-directories)
- [Ruby - Code execution](#ruby---code-execution)
- [Smarty](#smarty)
- [Twig](#twig)
- [Twig - Basic injection](#twig---basic-injection)
- [Twig - Template format](#twig---template-format)
- [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
- [Twig - Code execution](#twig---code-execution)
- [Velocity](#velocity)
- [References](#references)
## Tools ## Tools
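Review bot: several regenerated entries carry punctuation copied from their headings: `Groovy - HTTP request:` and `Direct access to os from TemplateNamespace:` end in a colon and `Exploit the SSTI by writing an evil config file.` ends in a period. Fix the headings themselves; the generated anchors (`#groovy---http-request`, `#direct-access-to-os-from-templatenamespace`, `#exploit-the-ssti-by-writing-an-evil-config-file`) already strip the punctuation, so the links stay valid after the rename. Separately, the four `Exploit the SSTI by ...` entries under Jinja2 and the Mako `Direct access to os ...` entry are the only sub-entries without the `Engine - ` prefix every other sub-entry uses; renaming them (`Jinja2 - Exploit the SSTI by calling os.popen().read()`, `Mako - Direct access to os from TemplateNamespace`) keeps the list consistent.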
@ -130,7 +145,7 @@ ${"".getClass().forName("java.lang.System").getDeclaredMethod("getProperty","".g
#{session.getAttribute("rtc").setAccessible(true)} #{session.getAttribute("rtc").setAccessible(true)}
#{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")} #{session.getAttribute("rtc").getRuntime().exec("/bin/bash -c whoami")}
// Method using processbuilder // Method using process builder
${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())} ${request.setAttribute("c","".getClass().forName("java.util.ArrayList").newInstance())}
${request.getAttribute("c").add("cmd.exe")} ${request.getAttribute("c").add("cmd.exe")}
${request.getAttribute("c").add("/k")} ${request.getAttribute("c").add("/k")}
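Review bot: the comment `// Method using processbuilder` names Java's `ProcessBuilder` class (the lines that follow assemble a `cmd.exe` / `/k` argument list for it), so splitting it into `process builder` makes the comment less accurate than the original, not more; write `// Method using ProcessBuilder` with the real class name.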

View File

@ -61,7 +61,7 @@ If we can make the calculated hash string Zero-like, and provide "0" in the $coo
``` ```
We have control over 3 elements in the cookie: We have control over 3 elements in the cookie:
- $username - username you are targetting, probably "admin" - $username - username you are targeting, probably "admin"
- $hmac - the provided hash, "0" - $hmac - the provided hash, "0"
- $expiration - a UNIX timestamp, must be in the future - $expiration - a UNIX timestamp, must be in the future
@ -104,5 +104,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
## References ## References
* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html) * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/) * [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) * [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)

View File

@ -26,7 +26,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
## Methodology 2 ## Methodology 2
1. Find an unkeyed input for a Cache Poisoning 1. Find an un-keyed input for a Cache Poisoning
```js ```js
Values: User-Agent Values: User-Agent
Values: Cookie Values: Cookie
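Review bot: `unkeyed` → `un-keyed` in `Find an un-keyed input for a Cache Poisoning` should be reverted: `unkeyed input` is the established term in web cache poisoning writing, and the whole point of the list that follows (`Values: User-Agent`, `Values: Cookie`, the `X-Forwarded-*` headers) is to distinguish keyed from unkeyed inputs, so the wording should match what readers will search for; the same applies to the `X-Forwarded-Host un-keyed input` line in the next hunk.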
@ -37,7 +37,7 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
Header: X-Original-URL (Symfony) Header: X-Original-URL (Symfony)
Header: X-Rewrite-URL (Symfony) Header: X-Rewrite-URL (Symfony)
``` ```
2. Cache poisoning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website) 2. Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
```js ```js
GET /test?buster=123 HTTP/1.1 GET /test?buster=123 HTTP/1.1
Host: target.com Host: target.com

View File

@ -1,19 +1,21 @@
# XSLT Injection # XSLT Injection
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code > Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
## Summary ## Summary
- [Tools](#tools) - [XSLT Injection](#xslt-injection)
- [Exploit](#exploit) - [Summary](#summary)
- [Determine the vendor and version](#determine-the-vendor-and-version) - [Tools](#tools)
- [External Entity](#external-entity) - [Exploit](#exploit)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document) - [Determine the vendor and version](#determine-the-vendor-and-version)
- [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks) - [External Entity](#external-entity)
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) - [Read files and SSRF using document](#read-files-and-ssrf-using-document)
- [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
- [References](#references) - [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [References](#references)
## Tools ## Tools
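Review bot: `unvalidated XSL stylesheet` → `un-validated` in the blockquote is the same unneeded hyphenation as in the Open URL Redirection quote; `unvalidated` is the normal spelling of the term and this is quoted text, so leave it as it was.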

View File

@ -4,65 +4,100 @@ Cross-site scripting (XSS) is a type of computer security vulnerability typicall
## Summary ## Summary
- [Exploit code or POC](#exploit-code-or-poc) - [Cross Site Scripting](#cross-site-scripting)
- [Data grabber for XSS](#data-grabber-for-xss) - [Summary](#summary)
- [UI redressing](#ui-redressing) - [Exploit code or POC](#exploit-code-or-poc)
- [Javascript keylogger](#javascript-keylogger) - [Data grabber for XSS](#data-grabber-for-xss)
- [Other ways](#other-ways) - [CORS](#cors)
- [Identify an XSS endpoint](#identify-an-xss-endpoint) - [UI redressing](#ui-redressing)
- [XSS in HTML/Applications](#xss-in-htmlapplications) - [Javascript keylogger](#javascript-keylogger)
- [Common Payloads](#common-payloads) - [Other ways](#other-ways)
- [XSS using HTML5 tags](#xss-using-html5-tags) - [Identify an XSS endpoint](#identify-an-xss-endpoint)
- [XSS using a remote JS](#xss-using-a-remote-js) - [Tools](#tools)
- [XSS in hidden input](#xss-in-hidden-input) - [XSS in HTML/Applications](#xss-in-htmlapplications)
- [DOM based XSS](#dom-based-xss) - [Common Payloads](#common-payloads)
- [XSS in JS Context](#xss-in-js-context) - [XSS using HTML5 tags](#xss-using-html5-tags)
- [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri) - [XSS using a remote JS](#xss-using-a-remote-js)
- [XSS in files (XML/SVG/CSS/Flash/Markdown)](#xss-in-files) - [XSS in hidden input](#xss-in-hidden-input)
- [XSS in PostMessage](#xss-in-postmessage) - [XSS when payload is reflected capitalized](#xss-when-payload-is-reflected-capitalized)
- [Blind XSS](#blind-xss) - [DOM based XSS](#dom-based-xss)
- [XSS Hunter](#xss-hunter) - [XSS in JS Context](#xss-in-js-context)
- [Other Blind XSS tools](#other-blind-xss-tools) - [XSS in wrappers javascript and data URI](#xss-in-wrappers-javascript-and-data-uri)
- [Blind XSS endpoint](#blind-xss-endpoint) - [XSS in files](#xss-in-files)
- [Mutated XSS](#mutated-xss) - [XSS in XML](#xss-in-xml)
- [Polyglot XSS](#polyglot-xss) - [XSS in SVG](#xss-in-svg)
- [Filter Bypass and Exotic payloads](#filter-bypass-and-exotic-payloads) - [XSS in SVG (short)](#xss-in-svg-short)
- [Bypass case sensitive](#bypass-case-sensitive) - [XSS in Markdown](#xss-in-markdown)
- [Bypass tag blacklist](#bypass-tag-blacklist) - [XSS in SWF flash application](#xss-in-swf-flash-application)
- [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation) - [XSS in SWF flash application](#xss-in-swf-flash-application-1)
- [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag) - [XSS in CSS](#xss-in-css)
- [Bypass quotes for string](#bypass-quotes-for-string) - [XSS in PostMessage](#xss-in-postmessage)
- [Bypass quotes in script tag](#bypass-quotes-in-script-tag) - [Blind XSS](#blind-xss)
- [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event) - [XSS Hunter](#xss-hunter)
- [Bypass dot filter](#bypass-dot-filter) - [Other Blind XSS tools](#other-blind-xss-tools)
- [Bypass parenthesis for string](#bypass-parenthesis-for-string) - [Blind XSS endpoint](#blind-xss-endpoint)
- [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon) - [Tips](#tips)
- [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist) - [Mutated XSS](#mutated-xss)
- [Bypass space filter](#bypass-space-filter) - [Polyglot XSS](#polyglot-xss)
- [Bypass email filter](#bypass-email-filter) - [Filter Bypass and exotic payloads](#filter-bypass-and-exotic-payloads)
- [Bypass document blacklist](#bypass-document-blacklist) - [Bypass case sensitive](#bypass-case-sensitive)
- [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string) - [Bypass tag blacklist](#bypass-tag-blacklist)
- [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect) - [Bypass word blacklist with code evaluation](#bypass-word-blacklist-with-code-evaluation)
- [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert) - [Bypass with incomplete html tag](#bypass-with-incomplete-html-tag)
- [Bypass ">" using nothing](#bypass--using-nothing) - [Bypass quotes for string](#bypass-quotes-for-string)
- [Bypass "<" and ">" using and ](#bypass--and--using--and-) - [Bypass quotes in script tag](#bypass-quotes-in-script-tag)
- [Bypass ";" using another character](#bypass--using-another-character) - [Bypass quotes in mousedown event](#bypass-quotes-in-mousedown-event)
- [Bypass using HTML encoding](#bypass-using-html-encoding) - [Bypass dot filter](#bypass-dot-filter)
- [Bypass using Katana](#bypass-using-katana) - [Bypass parenthesis for string](#bypass-parenthesis-for-string)
- [Bypass using Cuneiform](#bypass-using-cuneiform) - [Bypass parenthesis and semi colon](#bypass-parenthesis-and-semi-colon)
- [Bypass using Lontara](#bypass-using-lontara) - [Bypass onxxxx= blacklist](#bypass-onxxxx-blacklist)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6) - [Bypass space filter](#bypass-space-filter)
- [Bypass using Octal encoding](#bypass-using-octal-encoding) - [Bypass email filter](#bypass-email-filter)
- [Bypass using Unicode](#bypass-using-unicode) - [Bypass document blacklist](#bypass-document-blacklist)
- [Bypass using UTF-7](#bypass-using-utf-7) - [Bypass using javascript inside a string](#bypass-using-javascript-inside-a-string)
- [Bypass using UTF-8](#bypass-using-utf-8) - [Bypass using an alternate way to redirect](#bypass-using-an-alternate-way-to-redirect)
- [Bypass using UTF-16be](#bypass-using-utf-16be) - [Bypass using an alternate way to execute an alert](#bypass-using-an-alternate-way-to-execute-an-alert)
- [Bypass using UTF-32](#bypass-using-utf-32) - [Bypass ">" using nothing](#bypass--using-nothing)
- [Bypass using BOM](#bypass-using-bom) - [Bypass "<" and ">" using and ](#bypass--and--using--and-)
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation) - [Bypass ";" using another character](#bypass--using-another-character)
- [Bypass using jsfuck](#bypass-using-jsfuck) - [Bypass using HTML encoding](#bypass-using-html-encoding)
- [CSP Bypass](#csp-bypass) - [Bypass using Katana](#bypass-using-katana)
- [Common WAF Bypass](#common-waf-bypass) - [Bypass using Cuneiform](#bypass-using-cuneiform)
- [Bypass using Lontara](#bypass-using-lontara)
- [Bypass using ECMAScript6](#bypass-using-ecmascript6)
- [Bypass using Octal encoding](#bypass-using-octal-encoding)
- [Bypass using Unicode](#bypass-using-unicode)
- [Bypass using UTF-7](#bypass-using-utf-7)
- [Bypass using UTF-8](#bypass-using-utf-8)
- [Bypass using UTF-16be](#bypass-using-utf-16be)
- [Bypass using UTF-32](#bypass-using-utf-32)
- [Bypass using BOM](#bypass-using-bom)
- [Bypass using weird encoding or native interpretation](#bypass-using-weird-encoding-or-native-interpretation)
- [Bypass using jsfuck](#bypass-using-jsfuck)
- [CSP Bypass](#csp-bypass)
- [Bypass CSP using JSONP from Google (Trick by @apfeifer27)](#bypass-csp-using-jsonp-from-google-trick-by-apfeifer27)
- [Bypass CSP by lab.wallarm.com](#bypass-csp-by-labwallarmcom)
- [Bypass CSP by Rhynorater](#bypass-csp-by-rhynorater)
- [Bypass CSP by @akita_zen](#bypass-csp-by-akita_zen)
- [Bypass CSP by @404death](#bypass-csp-by-404death)
- [Common WAF Bypass](#common-waf-bypass)
- [Cloudflare XSS Bypasses by @Bohdan Korzhynskyi](#cloudflare-xss-bypasses-by-bohdan-korzhynskyi)
- [25st January 2021](#25st-january-2021)
- [21st April 2020](#21st-april-2020)
- [22nd August 2019](#22nd-august-2019)
- [5th June 2019](#5th-june-2019)
- [3rd June 2019](#3rd-june-2019)
- [Cloudflare XSS Bypass - 22nd March 2019 (by @RakeshMane10)](#cloudflare-xss-bypass---22nd-march-2019-by-rakeshmane10)
- [Cloudflare XSS Bypass - 27th February 2018](#cloudflare-xss-bypass---27th-february-2018)
- [Chrome Auditor - 9th August 2018](#chrome-auditor---9th-august-2018)
- [Incapsula WAF Bypass by @Alra3ees- 8th March 2018](#incapsula-waf-bypass-by-alra3ees--8th-march-2018)
- [Incapsula WAF Bypass by @c0d3G33k - 11th September 2018](#incapsula-waf-bypass-by-c0d3g33k---11th-september-2018)
- [Incapsula WAF Bypass by @daveysec - 11th May 2019](#incapsula-waf-bypass-by-daveysec---11th-may-2019)
- [Akamai WAF Bypass by @zseano - 18th June 2018](#akamai-waf-bypass-by-zseano---18th-june-2018)
- [Akamai WAF Bypass by @s0md3v - 28th October 2018](#akamai-waf-bypass-by-s0md3v---28th-october-2018)
- [WordFence WAF Bypass by @brutelogic - 12th September 2018](#wordfence-waf-bypass-by-brutelogic---12th-september-2018)
- [Fortiweb WAF Bypass by @rezaduty - 9th July 2019](#fortiweb-waf-bypass-by-rezaduty---9th-july-2019)
- [References](#references)
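Review bot: the new table-of-contents entry `- [25st January 2021](#25st-january-2021)` carries a misspelled ordinal; it should read `25th January 2021` with anchor `#25th-january-2021`, and because the anchor is derived from the heading text, the matching heading in the body has to change in the same commit or the link stops resolving. In the same list, `semi colon` in `Bypass parenthesis and semi colon` is one word (`semicolon`), again with heading and anchor updated together.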
@ -134,7 +169,7 @@ More exploits at [http://www.xss-payloads.com/payloads-list.html?a#category=all]
## Identify an XSS endpoint ## Identify an XSS endpoint
This payload opens the debugger in the developper console rather than triggering a popup alert box. This payload opens the debugger in the developer console rather than triggering a popup alert box.
```javascript ```javascript
<script>debugger;</script> <script>debugger;</script>
@ -154,7 +189,7 @@ Better payload replacing `<script>alert(1)</script>`:
<script>alert(document.domain.concat("\n").concat(window.origin))</script> <script>alert(document.domain.concat("\n").concat(window.origin))</script>
``` ```
While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developper console (doesn't require any interaction). While `alert()` is nice for reflected XSS it can quickly become a burden for stored XSS because it requires to close the popup for each execution, so `console.log()` can be used instead to display a message in the console of the developer console (doesn't require any interaction).
Example: Example:
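Review bot: the spelling fix on the last changed line of this hunk leaves a redundant phrase, `display a message in the console of the developer console`; suggest `display a message in the developer console`. On the same line, `it requires to close the popup` reads better as `it requires closing the popup`. The `developper` to `developer` change on the first line is fine as is.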

View File

@ -25,7 +25,7 @@ Stored XSS with CSS injection - Hello {}*{xss:expression(open(alert(1)))}
Explanation of the vulnerability Explanation of the vulnerability
> The Meta element forces IEs document mode into IE7 compat which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert. > The Meta element forces IEs document mode into IE7 compatible which is required to execute expressions. Our persistent text {}*{xss:expression(open(alert(1)))is included on the page and in a realistic scenario it would be a profile page or maybe a shared status update which is viewable by other users. We use “open” to prevent client side DoS with repeated executions of alert.
> A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks theres another directory but the actual request is being sent to the document and that in essence is how an RPO attack works. > A simple request of “rpo.php/” makes the relative style load the page itself as a style sheet. The actual request is “/labs/xss_horror_show/chapter7/rpo.php/styles.css” the browser thinks theres another directory but the actual request is being sent to the document and that in essence is how an RPO attack works.
Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php` Demo 1 at `http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php`
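Review bot: this hunk rewords text inside a `>` blockquote, changing `IE7 compat` to `IE7 compatible`; a quoted passage should either be reproduced verbatim or have its edits marked, and the same quote still shows the payload as `{}*{xss:expression(open(alert(1)))is included`, missing the closing `}` that the heading line at the top of the hunk (`{}*{xss:expression(open(alert(1)))}`) has, as well as `IEs` and `theres`. Either leave the quote untouched or fix it consistently (restore the `}` and flag the edits), or, if a paraphrase is intended, drop the `>` marker so it no longer reads as the original author's words.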